Computers, Privacy & the Constitution

Background

In the last class on PartFour I proposed the idea of regulating forgetting, forcing data keepers to sunset data. Eben raised First Amendment issues with that proposal, which I think are compelling. However, there may be other sorts of information practices which could be mandated through regulation on government and third parties that may not raise such concerns and that would be useful for providing some protection against losing our identity to those who aggregate information about our lives. Perhaps we can use this space to think of a set of information practices that we would like to see codified, and discuss whether this is a worthwhile exercise at all.

Proposals

To start us off, in 1973 the US Department of Health, Education and Welfare released a code of fair information practices. See, Simson Garfinkel, Database Nation 13 (2000). The code had five tenants:

  • There should be no secret databanks.
  • There must be a procedure for a person to access their record.
  • The data should not be disseminated without the person's consent.
  • There must be a procedure for a person to correct misinformation.
  • There should be a responsibility imposed on organizations to ensure the accuracy of the data.

Another resource could be the Fair Credit Reporting Act.

-- JustinColannino - 15 Feb 2009


It seems to me that a number of the fair information practices (and the equivalent EU privacy scheme) run smack into first amendment concerns when applied to private parties (as opposed to the government):

(1) There should be no secret databanks and (2) There must be a procedure for a person to access their record -- we're not normally in the business of forcing people to reveal everything they may or may not know about other people. Isn't this a massive privacy invasion in itself?

(3) The data should not be disseminated without the person's consent -- this is a clear limitation on the content of a private party's speech

(4) There must be a procedur for a person to correct misinformation -- lots of case law about the unconstitutionality of analogous proposals for rights of reply to newspaper editorials, etc. Traditional 1st Amendment theory is that misleading speech should be countered by correcting speech, but noone is required to provide you with a forum (at their expense).

(5) There should be a responsibility imposed on organizations to ensure the accuracy of the data -- how is this not analagous to legislating the way in which someone thinks? Would you be in favor of legislating a general responsibility for people to ensure the accuracy of the data they use in making every day decisions?

If sunset legislation is meant to ensure that we retain the traditional practice of forgiving old mistakes, then I think you can achieve much of the same effect without going after the private parties collecting the information by forbidding the state from requesting information older than a certain number of years.

I recognize there are issues with the enforcement of such a limitation--if the data is valuable, people will find ways to get at it--, but I don't see how it is any harder to enforce then a sunset clause on data held by private parties.

-- AndreiVoinigescu - 16 Feb 2009


While I agree with Andrei's well reasoned points against the 1973 proposal to private parties in general, I think that it is overly simplistic to group all private information gathering and retention practices together, and then to condemn regulation on them all. For example, as noted previously, the Fair Credit Reporting Act was enacted to provide transparency in the methods of determining a persons creditworthiness. See, Fair Credit Reporting Act § 602. Also, regulations for fair information practices in certain industries could conform with and even enhance first amendment principals. For example, the American Library Association (ALA) has been fighting certain provisions in the Patriot Act that force libraries to hand over patron records to the FBI upon request. The ALA believes that the law has a severe chilling effect on free speech. Though their efforts to repeal the legislation has failed, the ALA's current solution is to severely limit record retention.

These are just two examples. I think we all agree that some fair information practices should be imposed on the government, but perhaps not always on private parties. Maybe the way forward, if this discussion has any value, is to think about when/whether information practices of private entities should be regulated. Does the Fair Credit Reporting Act go too far? Should something similar to the ALA's resolution apply to ISP's? To Google?

-- JustinColannino - 16 Feb 2009

 

Navigation

Webs Webs

r3 - 16 Feb 2009 - 20:44:27 - JustinColannino
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM